Pysa ransomware: What it is and how to protect yourself

Pysa is a form of human-operated ransomware that encrypts data on a victim’s computer and demands a ransom for restoring access. Pysa stands for “Protect your system amigo,” which is a sentence included in the ransom note left on infected devices.

Pysa is categorized as a Ransomware-as-a-Service (RaaS), which means that its developers offer ransomware for other criminal organizations that don’t have the capabilities of producing their own malicious programs. The previous version of this ransomware was known as Mespinoza.

The cybercriminals behind Pysa target high-value organizations like government institutions or healthcare providers that are more time-sensitive. Imagine if a hospital was locked out of its patients’ data and couldn’t access its IT systems. Every wasted minute could be fatal and lead to damaged reputation, financial losses, and lawsuits.

Pysa, or Mespinoza ransomware, works by infiltrating the victim’s computer or network and locking the victim out of their files. Hackers use phishing emails, brute-force attacks on servers in which the RDP (Remote Desktop Protocol) or AD (Active Directory) is open to the internet, and social engineering techniques to spread Pysa ransomware. However, Pysa ransomware distribution also relies on exploiting vulnerabilities in network infrastructure, for example, insecure remote access systems.

Once inside the system, Pysa encrypts the files and data so that you can’t access them. The ransomware then displays a ransom note demanding payment, usually in cryptocurrency, in exchange for a decryption key to unlock the files. Victims are allowed to send two files (no more than 2 MB) to criminals, so they can decrypt them and prove that their ransom demands are serious. Known for exfiltrating data before encryption, Pysa adds additional pressure for its victims by threatening to release sensitive information publicly.

Pysa encrypts all non-system files using AES encryption combined with RSA. Even if you delete the ransomware from your computer and restore your system, your files will still be inaccessible. When Pysa encrypts your files, they all acquire the .pysa filename extension. Let’s say you have a file called “cat.avi”. After your device is infected with ransomware, the filename will change to “cat.avi.pysa”.

Before encrypting your files, hackers steal all the sensitive data from the targeted computer, so they have leverage against you. If you refuse to meet their ransom demands, they can dump all the stolen data on the dark web.

However, you can never be sure if hackers will decrypt your files even after paying them. Cybersecurity experts discourage people from paying criminals and feeding their business model.

The most notorious Pysa ransomware attacks have affected public sector organizations and industries with sensitive data. Originating in 2019, Pysa ran rampant in 2020 and 2021, and it’s still active today.

• In May 2020, MyBudget, an Australian financial services company, was hit by Pysa and went out of service for almost two weeks. Criminals posted MyBudget’s name on the dark web along with those of other businesses they successfully hacked, pressuring them to pay the ransom. The company’s name was later removed from the dark web, suggesting that they negotiated with the hackers and met their demands.
• In October 2020, Hackney Council in London confirmed it had been a victim of a Pysa ransomware attack, which affected its IT services. Several months later, criminals dumped a bunch of their stolen data online, containing passport details, photo IDs, and staff information.
• In April 2021, Haverhill Public Schools in Massachusetts were closed after Pysa ransomware attacked their computer systems. Public schools are especially vulnerable to cyberattacks because many of them use outdated software and their staff lack cybersecurity training. The FBI claims that Pysa has been used against a number of schools in the US and the UK and continues to search for new victims.

Train your staff. Raising awareness among your employees about phishing emails and ransomware is key to successfully fighting cybercriminals. Many organizations conduct phishing simulations, so their employees can learn how to identify malicious emails.

Update your software on time. Postponing software updates can put a device at serious risk because criminals might exploit a bug or vulnerability that software developers fixed months ago. Even in global corporations you can still find employees running old versions of software that should have been updated multiple times.

Use strong passwords. Make sure to use uppercase and lowercase letters combined with special characters and numbers in your passwords. It’s important to create unique passwords for all your accounts because one compromised account could open the gates to other services you use.

Backup your files. Many people think nothing will ever happen to them — until it does. Don’t take unnecessary risks and always back up your sensitive data. You can never be sure if you won’t end up with malware, ransomware, or any other malicious program on your computer.

Apart from software updates and strong passwords, one of the most common ways to improve your overall digital security is to use a reputable VPN. A VPN redirects your internet data through an encrypted tunnel, thus improving your online security. If you often connect to public networks, having a VPN enabled on your device is crucial for staying safe.

With one NordVPN account, you can protect up to six different devices: laptops, tablets, smartphones, and more. NordVPN has more than 6,000 servers in 60 countries, providing users with the best speeds in the VPN industry. While a VPN won’t directly protect against malware infection, it will raise your overall privacy and security.

Businesses can also benefit from NordLayer, which allows employees to securely access their company’s data and online resources.

NordVPN also offers the Threat Protection feature that neutralizes cyber threats before they can do any real damage to your device. It helps you identify malware-ridden files, stops you from landing on malicious websites, blocks trackers and stops intrusive ads on the spot.

FAQ

Is Pysa ransomware still active?

Yes, Pysa ransomware is still active. It emerged in 2019 and did the most damage in 2020 and 2021. However, even though Pysa ransomware attacks have decreased since then, the group behind this malicious software has not ceased its activities.

What is a Pysa file?

A Pysa file is a file that has been encrypted by the Pysa ransomware. When Pysa encrypts your file, the file’s extension changes to “.pysa.” These files are inaccessible to you unless you get a decryption key that attackers offer in exchange for payment. However, paying the ransom does not guarantee that you’ll get your data back, and can encourage further criminal activity.